[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfilter
Subject:    IPFilter,Quake,etc..
From:       ArkanoiD <ark () paranoid ! convey ! ru>
Date:       1997-03-26 0:52:03
[Download RAW message or body]

My apologies,Darren - you asked me not to do Evil Things but i did <g>..
I did some modification to IPFilter code to make Quake work with it..
Actually i do not play Quake at all. I even never tried. But.. some
cow-orkers around here said they really need it.. First,how does Quake
work via udp?

---

 The Quake client sends a packet:

 80 00 00 0c 02 Q U A K E 00 03

 This is a server ping, and provokes a reply informing of the server
 state:

 80 00 00 2b 83 host:port 00 hostname 00 mapname 00 num-player max-player 03

 ... where num-player and max-player are bytes, mapname, hostname
 and host:port are strings, host is string representation of host
 IP, and hostname is a DNS name typically, but can be anything.

 Client then sends, from a new port:

 80 00 00 0c 01 Q U A K E 00 03

 Server replies with a port change, from the server port to the
 client port:

 80 00 00 09 81 (port % 256) (port / 256) 00 00

 Things get fairly hairy at this point, but keepalives (both
 directions) appear to be:

 00 02 00 08 00 00 00 xx

 where xx is a sequence number starting at 00. Sequence numbers are
 independent.

---

So.. i asked Darren if it is possible to modify IPfilter to let it go
through. He replied i should not do and i should write and application-level
proxy instead.. Simple application-level proxy. I started to think on
modifying udprelay to do.. another problem appeared: some servers do not
allow more than one client per ip address. 

So what did i do? I removed the check for source port in
nat_inlookup and checks for destination ports in nat_lookupmapip and 
nat_outlookup.. so it works for existing NAT entries only.
It does not affect tcp 
and does not cause problems with udp security - for the same reason:
it works with existing NAT entries and so it requires UDP connection to
be estabilished from inside - and other port and addrsses checks still exist..
At least seems not to cause.
Comments and even flames welcome.

-- 
                                       _     _  _  _  _      _  _
   {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
   (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
   [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!

[prev in list] [next in list] [prev in thread] [next in thread]